
🔒 fix: update refresh token handling to use plain token instead of ha…
…shed token
berry-13 committed Dec 23, 2024
1 parent 04923dd commit 299bb35
Showing 2 changed files with 3 additions and 6 deletions.
7 changes: 2 additions & 5 deletions api/server/controllers/AuthController.js
Expand Up @@ -7,7 +7,6 @@ const {
requestPasswordReset,
} = require('~/server/services/AuthService');
const { findSession, getUserById, deleteAllUserSessions } = require('~/models');
const { hashToken } = require('~/server/utils/crypto');
const { logger } = require('~/config');

const registrationController = async (req, res) => {
Expand Down Expand Up @@ -74,11 +73,9 @@ const refreshController = async (req, res) => {
return res.status(200).send({ token, user });
}

// Hash the refresh token
const hashedToken = await hashToken(refreshToken);

// Find the session with the hashed refresh token
const session = await findSession({ userId: userId, refreshToken: hashedToken });
const session = await findSession({ userId: userId, refreshToken: refreshToken });

if (session && session.expiration > new Date()) {
const token = await setAuthTokens(userId, res, session._id);
res.status(200).send({ token, user });
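Review bot: The lookup `const session = await findSession({ userId: userId, refreshToken: refreshToken });` now matches the raw refresh token against what the session record holds, which only works if the write side stores the token unhashed; that write side (generateRefreshToken / the session model) is outside this hunk, and if it does persist the plain value, the sessions collection now holds directly replayable credentials at rest rather than digests. If dropping the hash is intentional the rationale belongs next to the call, e.g. `// Sessions persist the raw refresh token, so look it up directly (no hashToken)`; otherwise the hash should be kept consistently on both the issue and lookup paths. The shorthand `findSession({ userId, refreshToken })` would also read more cleanly. refreshController starts outside the hunk.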
2 changes: 1 addition & 1 deletion api/server/services/AuthService.js
Expand Up @@ -343,7 +343,7 @@ const setAuthTokens = async (userId, res, sessionId = null) => {
let refreshTokenExpires;

if (sessionId) {
session = await findSession({ sessionId: sessionId });
session = await findSession({ sessionId: sessionId }, { lean: false });
refreshTokenExpires = session.expiration.getTime();
refreshToken = await generateRefreshToken(session);
} else {
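Review bot: The changed call `session = await findSession({ sessionId: sessionId }, { lean: false });` is followed by `session.expiration.getTime()` with no null check, so a sessionId that no longer resolves to a record throws a TypeError from inside setAuthTokens instead of a meaningful error; a guard such as `if (!session) { throw new Error('Session not found'); }` before the dereference would make the failure explicit. The reason for `{ lean: false }` is also not visible from the hunk — presumably generateRefreshToken needs a full model instance rather than a plain object — and a one-line comment stating that would save the next reader from re-deriving it. setAuthTokens begins before and continues after this hunk.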

